On February 1, the Federal Trade Commission (“FTC”) issued the staff report Mobile Privacy Disclosures: Building Trust Through Transparency (the “Report”),[1] which provides a series of consumer privacy-focused recommendations for key stakeholders in the mobile app ecosystem, including developers, platform providers, third-party advertising networks, and others.  The Report responds to the explosive growth in smartphone use by consumers within the past few years and focuses on best practices to ensure that consumers receive timely and easy-to-understand information about the personal data that apps collect and how that data is used or shared with third parties.

The report recommendations represent a culmination of efforts initiated by the Commission, as well as other federal and state regulators, during the past several years.  Specifically, the report recommendations are based on the FTC’s final privacy framework[2] released in March 2012; a May 2012 FTC workshop[3] that assessed the need for updated online industry guidance regarding disclosures and privacy practices; and two reports released in 2012 that detailed the results of surveys by FTC staff[4] that examined the privacy disclosures and practices associated with 400 mobile apps targeted to children. The report also draws from recent mobile app industry guidance from the California Attorney General[5], and initial recommendations from the ongoing privacy multi-stakeholder process[6] convened by the National Telecommunications & Information Administration (“NTIA”).

In addition to releasing the staff report, the Commission announced two other items that reflect the Commission’s current focus on mobile app privacy.  As described below, the FTC introduced a new business guide that complements the privacy disclosure report with a set of data security best practices tailored to mobile app developers. The FTC also announced a settlement with a prominent social networking app developer over charges that it deceived users about its data collection practices and violated the Children’s Online Privacy Protection Act (“COPPA”) Rule by collecting personal information from children without their parents’ consent.

Key Recommendations From The Mobile Privacy Report

A summary of the Report’s key recommendations for each stakeholder in the mobile app ecosystem includes the following:

Recommendations for Online Platforms and OS Providers

• Implement clear and understandable just-in-time disclosures and obtain affirmative express consent before collecting sensitive content, such as geo-location data, as well as other contextually sensitive content, including personal contacts, photos, calendar data, or audio and video recordings;
• Develop a unified dashboard that allows consumers to review the types of data accessed by downloaded apps, and inform consumers about the extent to which the platform monitors apps for compliance with the platform’s privacy requirements;
• Consider timely and prominently displayed icons to notify consumers about a particular app’s data collection practices, and offer Do Not Track (DNT) mechanisms for smartphone users to prevent tracking by advertising networks and other third parties;
• Promote best practices within the developer community by educating developers about privacy issues, requiring developers to make privacy disclosures, and enforcing those requirements.

Recommendations for Mobile App Developers

• Ensure that the app includes a privacy policy that can be easily accessed before the user downloads the app;
• Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent that the applicable platform has not already done so);
• Collaborate with ecosystem partners, including ad networks, analytics companies, and other third parties to better understand third-party data collection practices and to ensure that apps are providing accurate disclosures to consumers;
• Participate in self-regulatory programs, trade associations, and industry organizations to obtain guidance on best practices in crafting standard short-form privacy disclosures.

Recommendations for Advertising Networks, Analytics Companies, and Other Third Parties

• Communicate with app developers to ensure that they fully understand the information collected by the third party so that the developer can provide truthful and complete disclosures to consumers;
• Collaborate with platforms to promote the implementation of an effective DNT system for mobile.

Recommendations for App Developer Trade Associations, Academics, Researchers and Others

• Develop short form disclosures for app developers, including icons embedded within the app that depict app privacy practices and “badges” that inform parents and users about an app’s privacy practices prior to download;
• Promote standardized app developer privacy policies that will enable consumers to compare data practices across apps;
• Educate app developers on key consumer privacy issues and developments.

FTC Mobile App Data Security Guide Recommendations

In conjunction with the release of its mobile app disclosure report, the Commission issued the guide for businesses, Mobile App Developers: Start with Security[7], which outlines practical tips for developers to ensure that the data collected by mobile apps remains secure and protected.  The guide serves as a data security complement to the Commission’s August 2012 mobile marketing guide, Marketing Your Mobile App: Get It Right from the Start[8], which contains suggestions for developers with respect to truthful advertising and the FTC’s final privacy framework.

The FTC’s latest business guide recommends that developers implement “reasonable data security practices” that reflect each mobile app’s target user, its unique configuration, and its app-specific data collection practices. Specifically, the key recommendations within the guide include the following:

• Appoint at least one individual within the organization to focus on data security at each stage of app development;
• Only collect personal data that is necessary for a defined and disclosed purpose;
• Understand the security-related features of different mobile platforms and take any additional measures necessary to protect users;
• Exercise due diligence when using software libraries and third-party code;
• Generate secure user credentials and use encryption to protect important user data;
• Protect internal servers and understand the division of security responsibilities when storing data with commercial cloud providers;
• Be aware of emerging security vulnerabilities and have a plan for shipping security updates if needed;
• Maintain an open dialogue with users about security issues, and ensure compliance with relevant rules and regulations related to financial data, health data, and kids’ data.

The FTC’s Settlement With Path, Inc.

As evidence that the FTC’s efforts to protect consumer privacy will continue to involve a combination of industry guidance and active enforcement, the Commission also announced a settlement[9] with the social networking app developer Path, Inc. over charges that it deceived its users by collecting personal information from their mobile device address books without their knowledge and consent. According to the FTC’s Complaint, Path automatically, and without users’ consent, collected and stored available names, addresses, phone numbers, email addresses, dates of birth, and Facebook and Twitter usernames contained in a user’s address book. The FTC also claimed that Path violated the COPPA Rule by collecting data from approximately 3,000 children under the age of 13 without providing notice or obtaining consent from their parents. 

In resolving the FTC’s allegations, the settlement requires Path to establish a comprehensive privacy program that includes biennial independent privacy audits for the next 20 years. Path will also pay $800,000 in civil penalties to settle the charges that it violated COPPA.  Notably, the settlement with Path comes a little more than a month after FTC Staff revealed that they launched multiple non-public investigations to determine whether certain entities in the mobile app ecosystem are violating the COPPA Rule or engaging in unfair or deceptive practices in violation of Section 5 of the FTC Act.[10]

Conclusion

The release of the FTC staff’s mobile app disclosure report and data security guidance, and the announcement of the enforcement action against Path, coincided with the announcement that FTC Chairman Jon Leibowitz, the FTC’s long-standing advocate for consumer privacy protections, will resign his position at the Commission later this month. Despite Chairman Leibowitz’s departure, these latest developments provide a clear indication that consumer privacy education and enforcement will remain a priority at the Commission for the foreseeable future. 

As a result, all stakeholders in the mobile app ecosystem would be wise to heed the Commission’s recommendations and carefully evaluate their existing privacy practices and disclosures and apply the FTC’s best practices, as appropriate. While styled as “best practices,” considering and implementing such proactive efforts are highly likely to identify and mitigate the possibility of inadvertently engaging in business practices that the FTC (and other regulators and litigants) view as illegal trade practices, which pose exposure to investigations, monetary payments, and long-term restrictions on business practices going forward – none of which is good for business.